#
# Rules to allow the Android CTS to run.
# Do not enable in production policy.
#

# Default-off toggle: every rule inside the conditional block is inert
# unless the boolean is switched on, so a production policy that keeps the
# default grants none of the accesses below.
bool android_cts false;
if (android_cts) {
# CTS walks /proc/<pid> for every domain to verify that no unexpected root
# processes exist, so apps get read access to every domain's entries.
allow appdomain domain:dir r_dir_perms;
allow appdomain domain:file r_file_perms;
allow appdomain domain:lnk_file r_file_perms;

# Reads of other apps' /proc/<pid> entries remain blocked by the MLS
# constraints; dontaudit only suppresses the log noise and grants nothing.
dontaudit appdomain appdomain:dir r_dir_perms;
dontaudit appdomain appdomain:file r_file_perms;

# Directory walk plus stat over the whole tree: regular files, filesystem
# types and device nodes alike.
allow appdomain { file_type fs_type dev_type }:dir r_dir_perms;
allow appdomain { file_type fs_type dev_type }:dir_file_class_set getattr;

# Read symlinks pointing at device nodes.
allow appdomain dev_type:lnk_file read;

# Run the shell and other system executables.
allow appdomain { shell_exec system_file }:file rx_file_perms;

# Test fixtures: read/write on apk_tmp_file, read-only on shell_data_file.
allow appdomain apk_tmp_file:file rw_file_perms;
allow appdomain shell_data_file:file r_file_perms;

# Routing-table lookups over a netlink route socket.
allow netdomain self:netlink_route_socket { create read write nlmsg_read };

# Expected-failure probes: only the denial message is silenced, the access
# itself is still refused.
# - opening /dev/alarm for writing
dontaudit appdomain alarm_device:chr_file write;
# - creating a netlink kobject uevent socket (vulnerable-vold check)
dontaudit appdomain self:netlink_kobject_uevent_socket create;
# - shell attempting to override DAC restrictions
dontaudit shell self:capability dac_override;
}